Re: [cti] Proposed normative text available for Report object refactoring - (Goal: Reach official consensus by Monday)

["Jordan, Bret" <bret.jordan@bluecoat.com>]

For reports, do we really want to create a report object with nothing in it and then have a series of relationships where so much of the meta-data is replicated?  I had kind of envisioned the Report object being a bit "special".  Meaning that you would be able to include a series of references to objects that were all PART of the report.  The report object is just a special object and differs from other objects in STIX and the package.  

{
  "type": "report",
  "id": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",
  "created_at": "2015-12-21T19:59:11.000000+00:00",
  "title": "The Black Vine Cyberespionage Group",

  "descriptions": [

    "A simple report"

  ],
  "intents": ["Threat Report"],
  "created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",

  "reported_objects": [

    "indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",

    "indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d3",

    "campaign--26ffb872-1dd9-446e-b6f5-d58527e5b523"

    "ttp--26ffb872-1dd9-446e-b6f5-d58527e5b5d4",

    "threat-actor--26ffb872-1dd9-446e-b6f5-d58527e5b5d5"

  ]  
}

Thanks,

Bret

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Feb 11, 2016, at 08:17, Barnum, Sean D. <sbarnum@mitre.org> wrote:

Refactoring of the Report object based on our breaking out of relationships is one of the issues that we seem to have general consensus on but have not yet agreed to normative text.

Proposed normative text is now available for your review in the STIX 2.0 Specification Pre-draft document.

It is fairly straightforward and should not take long to consider.

Please review the normative text and add comments to the document for any concerns, questions or ideas you may have.

If we do not see any significant concerns/objections to the normative text by Monday we will consider this issues to have officially achieved consensus and move on to others.

For the quick convenience of anyone having difficulty accessing the live specification pre-draft document the relevant text is included below.

Report Object

The Report Object is a mechanism for relating a collection of STIX TLOs together according to some shared context.  

Inherited Fields

The Indicator object would inherit the CTI Core Properties and the CTI Descriptive Properties.

Proposed Fields

Property Name	Type	Description
intents (required)	array of type report-intent-type	Specifies the intended purposes or uses of this Report.
intents_ext (optional)	array of type vocab-ext	Specifies alternate intended purposes or uses of this Report.

Example (using only created_by_ref for brevity)

{

 "type": "package",

 "id": "package--44af6c39-c09b-49c5-9de2-394224b04982",

 "sources":

   {

     "type": "identity",

     "id": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",

     "name": "Symantec",

   }

 ],

  "reports": [

   {

     "type": "report",   

     "id": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",

     "created_at": "2015-12-21T19:59:11.000000+00:00",

     "title": "The Black Vine Cyberespionage Group",

     "description": "A simple report with an indicator, campaign and a relationship between them",

     "intents": ["Threat Report"],

     "created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"

   }

 ],

 "indicators": [

   {

     "type": "indicator",

     "id": "indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",

     "created_at": "2015-12-21T19:59:17.000000+00:00",

     "title": "Some indicator",

     "indicator_types": ["IP Watchlist"],

     "created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"

   }  

 ],

 "campaigns": [

   {

     "type": "campaign",

     "id": "campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",

     "created_at": "2015-12-21T19:59:17.000000+00:00",

     "title": "Some Campaign",

     "created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"

   }

 ],

 "relationships": [

   {

     "type": "relationship",

     "id": "relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",

     "created_at": "2015-12-21T19:59:17.000000+00:00",

     "from": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",

     "to": "indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",

     "relationship_nature": "Report Contains",

     "created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"

   },

   {

     "type": "relationship",   

     "id": "relationship--72f666b6-f1db-4b2c-82e3-71ab49a84be1",

     "created_at": "2015-12-21T19:59:17.000000+00:00",

     "from": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",

     "to": "campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",

     "relationship_nature": "Report Contains",

     "created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"

   },

   

   {

     "type": "relationship",

     "id": "relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",

     "created_at": "2015-12-21T19:59:17.000000+00:00",

     "from": "indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",

     "to": "campaign--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",

     "relationship_nature": "Related Campaign",

     "created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"

   },

   

   {

     "type": "relationship",

     "id": "relationship--a05d8c6a-ccea-4a0a-a8e0-68dfe85fbfa9",

     "created_at":"2015-12-21T19:59:17.000000+00:00",

     "from": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",

     "to": "relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",

     "relationship_nature": "Report Contains",

     "created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"

   },

 ]

}

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail